Extracted

• • Target

    003.exe

  • Size

    567KB

  • MD5

    3e6d8c01cf6f30ba50c9bf80d64249b2

  • SHA1

    83cdb36f8f49901d504d4cef417c1a47cab8fa9d

  • SHA256

    cd4521a750a5be16379c573fda96dd95aa018eaa2029ed897586502bbe9b4ac5

  • SHA512

    e84d7a37fe6f565a9c838cec593d254225aa9ee41ec35635bd6ed3016372ae0f82aced1f731e73dd42c5f289230f0e73aa4e828d12a95d84330bfbf686d6b820

  • SSDEEP

    12288:rPUQF0/0sETNO6Sp7FO6ZQ8iy25XX8tVAUQKjYn:rLELh6gRO6ZW5XuAF

  Score

  10^/10

  snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2